Sebastian

**Name of the Vulnerable Software and Affected Versions** Biopython versions prior to 1.87 **Description** Bio.Entrez in Biopython allows doctype XML External Entity (XXE), which is a technique where an XML parser is tricked into processing external entities within a document type definition, potentially leading to unauthorized access to local files or server-side request forgery. **Recommendations** Update to version 1.87.

**Name of the Vulnerable Software and Affected Versions** LWsystems Benno MailArchiv version 2.10.1 **Description** An issue was discovered in LWsystems Benno MailArchiv, where attackers can cause cross-site scripting (XSS) via JavaScript content to a mailbox. **Recommendations** For LWsystems Benno MailArchiv version 2.10.1, as a temporary workaround, consider restricting the execution of JavaScript content in mailboxes to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LWsystems Benno MailArchiv version 2.10.1 **Description** A CSRF issue was discovered. **Recommendations** For LWsystems Benno MailArchiv version 2.10.1, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** WPS Hide Login version 1.6.1 **Description** The issue allows remote attackers to bypass a protection mechanism. This is achieved by exploiting the `post password` parameter. **Recommendations** For WPS Hide Login version 1.6.1, consider updating to a newer version that contains a fix for this issue, as the current version allows attackers to bypass protection mechanisms via the `post password` parameter. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RhodeCode versions prior to 2.2.7 **Description** The issue allows remote authenticated users to obtain sensitive information, including API keys, by exploiting certain API methods. Specifically, the "update repo", "get locks", and "get user groups" API methods are vulnerable. **Recommendations** For versions prior to 2.2.7, update to version 2.2.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API methods until a patch is applied. Avoid using the vulnerable API endpoints, such as "update repo", "get locks", and "get user groups", in your applications until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** kcheckpass (affected versions not specified) **Description** The issue allows local users to invoke any configured PAM stack, potentially triggering unintended side effects, by passing a user-supplied argument to the pam start function within a setuid environment. This can be achieved via an arbitrary valid PAM service name. The vendor notes that the possibility of resultant privilege escalation may be unlikely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.